ZeroPath at Black Hat USA 2026

Spectra Gutenberg Blocks CVE-2026-7465: Brief Summary of a Contributor-Level RCE via Block Callback Injection

A short review of CVE-2026-7465, a CVSS 8.8 Remote Code Execution vulnerability in the Spectra Gutenberg Blocks WordPress plugin affecting 1M+ sites. Covers the two-block exploitation mechanism, the one-line patch in version 2.19.26, and the vendor's recurring security issues.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-30

Spectra Gutenberg Blocks CVE-2026-7465: Brief Summary of a Contributor-Level RCE via Block Callback Injection
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single line of PHP in a WordPress plugin installed on over one million websites was silently passing user controlled data into a block type registration call, allowing any Contributor level user to register an arbitrary PHP function as a rendering callback and then trigger its execution in the same page request. CVE-2026-7465 is a CVSS 8.8 Remote Code Execution vulnerability in the Spectra Gutenberg Blocks plugin (formerly Ultimate Addons for Gutenberg) by Brainstorm Force, and its two stage exploitation mechanism through the Gutenberg block rendering pipeline makes it both architecturally interesting and practically dangerous.

Spectra Gutenberg Blocks is a popular WordPress plugin that extends the native block editor with additional design and layout blocks. With over 1,000,000 active installations and a 4.7 star rating from nearly 1,900 reviews, it is one of the most widely deployed block editor extensions in the WordPress ecosystem. The plugin is developed by Brainstorm Force, a Pune based company with over 130 team members whose products (including the Astra theme) are used by millions of WordPress sites globally.

Technical Information

Root Cause

The vulnerability lives in the render_block() method of classes/class-uagb-init-blocks.php, specifically around lines 330 and 335 of the vulnerable version (2.19.25). This method hooks into WordPress's render_block filter and fires on every block rendered on the frontend.

To support WordPress 6.9's "Hide Blocks" feature, the Spectra plugin introduced logic to dynamically register any uagb/ prefixed block type that was not already present in the WP_Block_Type_Registry. The problem was in how it performed that registration. At line 335 of the vulnerable version, the code executed:

$registry->register( $block['blockName'], $block['attrs'] );

The $block['attrs'] array is parsed directly from serialized post content. In WordPress, any user with Contributor level access or above can author post content. WordPress's register_block_type() function accepts a render_callback key inside its arguments array. If present, this callable is stored in the block type registry and later invoked via call_user_func() whenever a block of that type is rendered.

Because $block['attrs'] was passed wholesale to the registration function, an attacker could embed a render_callback key pointing to any arbitrary PHP function (such as system, exec, or passthru) within the block attributes of a crafted uagb/ prefixed block.

Attack Flow

The exploitation follows a two stage process within a single page request:

Stage 1: Malicious Block Registration. The attacker creates a post containing a first block with a fabricated block type name using the uagb/ prefix (for example, uagb/evil). This block's attributes include a render_callback key pointing to an attacker chosen PHP function. When the Spectra plugin's render_block() method encounters this block, it checks the WP_Block_Type_Registry, finds that uagb/evil is not registered, and calls $registry->register( 'uagb/evil', $block['attrs'] ). The malicious render_callback is now stored in the block type registry.

Stage 2: Callback Invocation. A second block of the same fake type (uagb/evil) is embedded in the same post content. When WordPress's sequential block rendering pipeline reaches this second block, the block type is now registered (from Stage 1). WordPress core's render_block_data pipeline invokes the registered render_callback via call_user_func(), executing whatever PHP function the attacker specified.

This two block design is notable because it separates the malicious callback registration from its invocation. Each block individually may appear benign; the exploit only manifests when both blocks are processed in sequence during the same rendering cycle.

Attack Vector Summary

ParameterDetail
Authentication RequiredYes, Contributor level or above
User InteractionNone required
Attack ComplexityLow
Network AccessRemote
ScopeUnchanged
Maximum ImpactComplete server compromise (RCE)
Exploitation PatternTwo block payload in single post content

An important nuance: the Contributor role in WordPress is the second lowest user role, above Subscriber. Contributors can create and edit their own posts but cannot publish them. However, the exploit payload is embedded in post content, and even saving a draft can trigger the block registration and rendering pipeline when the post is previewed or reviewed by an editor. This means a Contributor can weaponize a draft post without requiring publish permissions.

Discovery Credit

The vulnerability was discovered by security researcher kai63001 (Supanat Konprom) and reported through Wordfence's vulnerability disclosure program.

Patch Information

The Spectra development team shipped the fix in version 2.19.26, released on May 4, 2026. The patch is a precisely targeted, single line change inside the render_block() method of classes/class-uagb-init-blocks.php.

In the vulnerable version (2.19.25 and earlier), the registration call at line 335 was:

$registry->register( $block['blockName'], $block['attrs'] );

In the patched version (2.19.26), this was changed to:

$registry->register( $block['blockName'], array() );

By replacing $block['attrs'] with an empty array(), the fix ensures that no user controlled data is passed to the block type registration. The block is still registered as a stub (satisfying the WordPress 6.9 compatibility requirement for the "Hide Blocks" feature), but it carries no render_callback, no attacker specified arguments, and nothing exploitable. This single line change completely severs the trust chain between user authored content and PHP callable registration.

The plugin changelog for version 2.19.26 confirms: "This update addressed a security bug. Props to Wordfence for reporting it responsibly." The latest available version at the time of disclosure is 2.19.28. Site administrators should update to 2.19.26 or later immediately.

The vulnerable and patched source files can be compared directly:

Compensating Controls

If immediate update is not feasible, the following measures can reduce risk:

  • Restrict Contributor and Author roles: Since exploitation requires Contributor level access or above, limiting the number of users with posting privileges directly reduces the attack surface. Audit all user accounts and remove or downgrade any that are not essential.
  • Deploy WAF rules: Configure rules to inspect incoming post content for suspicious uagb/ prefixed block registrations that include render_callback attributes referencing non standard PHP functions. Wordfence Premium can provide virtual patching rules for this vulnerability.
  • Search for existing payloads: Query the WordPress database for post content containing uagb/ prefixed block types with unusual render_callback attributes to identify previously inserted exploit payloads.
  • Temporarily deactivate the plugin: If Spectra is not critical to site functionality, deactivating it entirely eliminates the attack vector until a patched version can be installed.

Affected Systems and Versions

All versions of the Spectra Gutenberg Blocks plugin (also known as Ultimate Addons for Gutenberg) up to and including version 2.19.25 are vulnerable. This encompasses every release of the plugin from its initial availability on June 13, 2018 through the vulnerable version.

The vulnerability is exploitable on any WordPress installation where:

  • The Spectra Gutenberg Blocks plugin is installed and active at version 2.19.25 or below
  • At least one user account exists with Contributor level access or higher

Version 2.19.26 and later are not affected.

Vendor Security History

Brainstorm Force has a documented pattern of security vulnerabilities in the Spectra plugin. Multiple CVEs have been assigned across 2024 through 2026:

CVETypeSeverityYear
CVE-2026-7465Remote Code Execution8.8 (High)2026
CVE-2026-42648Missing AuthorizationNot fully populated in NVD2026
CVE-2026-24982Missing AuthorizationNot fully populated in NVD2026
CVE-2026-0950Information DisclosureListed in NVD2026
CVE-2025-11162Stored Cross Site ScriptingListed in CVE Details2025
CVE-2024-10484Stored XSS via Team WidgetListed in NVD2024

The plugin's changelog reveals five security related patches in approximately eight months:

VersionRelease DateReported By
2.19.26May 4, 2026Wordfence
2.19.23April 21, 2026Patchstack
2.19.21March 12, 2026Not specified
2.19.18January 20, 2026Wordfence and Patchstack
2.19.15October 3, 2025Wordfence

The recurrence of privilege management failures (CWE-269 for this CVE, alongside multiple Missing Authorization CVEs) suggests a structural weakness in how the plugin validates permissions and callbacks, rather than isolated coding errors. While Brainstorm Force has been responsive in issuing patches, the frequency of discoveries by independent researchers indicates that the plugin's security architecture would benefit from a comprehensive audit. Organizations should evaluate whether to continue relying on this plugin for production sites, or restrict it to trusted editor only environments.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization